Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between Cardneto and the Event Organizer (“Controller”) and applies to the processing of personal data under the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Last Updated: 15 January, 2026
1. Parties & Roles
• Data Controller: The Event Organizer using the Cardneto platform to manage event networking.
• Data Processor: Cardneto, operated by Envatech Solutions S.R.L., providing a digital networking platform and related services.
Roles under GDPR:
• The Organizer determines the purposes and means of processing.
• Cardneto processes personal data only on documented instructions from the Organizer.
2. Purpose of Processing
Cardneto processes personal data solely for the purpose of:
• Enabling networking between event participants
• Managing event-related interactions (connections, meetings, chats)
• Providing event analytics and engagement insights
• Supporting platform functionality and security
Cardneto does not process personal data for advertising, resale, or unrelated commercial purposes.
3. Categories of Data & Data Subjects
3.1 Data Subjects
• Event attendees
• Speakers
• Sponsors
• Organizers’ staff or administrators
3.2 Categories of Personal Data
• Identification data (name, role, company)
• Contact data (email, phone, social links) only if shared by the user
• Profile information voluntarily provided by users
• Event interaction data (connections, meetings, messages)
• Aggregated and anonymized usage analytics
Cardneto processes only data strictly necessary to deliver the service.
4. Processor Obligations (Cardneto)
Cardneto commits to:
• Process personal data lawfully, fairly, and transparently
• Act only on documented instructions from the Organizer
• Ensure confidentiality of all processed data
• Implement appropriate technical and organizational security measures
• Not engage another processor without appropriate safeguards
• Assist the Organizer in fulfilling GDPR obligations where applicable
• Never sell personal data
• Never share personal data for third-party marketing or advertising
5. Security Measures
Cardneto applies industry-standard security practices, including:
• Encryption of data in transit and at rest
• Role-based access control
• Secure authentication mechanisms
• Regular system monitoring and updates
• Restricted internal access to personal data
Security measures are designed according to the principles of privacy by design and by default.
6. Sub-processors
Cardneto may use trusted sub-processors strictly for service delivery (e.g. hosting, email delivery, infrastructure).
Cardneto ensures that:
• All sub-processors are GDPR-compliant
• Sub-processors are bound by data protection obligations equivalent to this DPA
A current list of sub-processors is available upon request.
7. Data Subject Rights
Cardneto assists the Organizer, where applicable, in responding to requests from data subjects regarding:
• Access
• Rectification
• Erasure
• Restriction of processing
• Data portability
Such assistance is provided within reasonable technical limits and according to Organizer instructions.
8. Data Retention & Deletion
• Personal data is retained only for the duration necessary to provide the services.
• Upon event completion or Organizer request:
  • Data may be deleted or anonymized
• Upon termination of services:
  • All personal data will be deleted or returned, unless retention is required by law
9. International Data Transfers
Cardneto processes data primarily within the European Economic Area (EEA).
If transfers outside the EEA occur, Cardneto ensures appropriate safeguards in accordance with GDPR (e.g. Standard Contractual Clauses).
10. Audits & Compliance
Upon reasonable request, Cardneto shall make available information necessary to demonstrate compliance with this DPA and GDPR obligations.
11. Liability
Each party remains responsible for its own compliance with GDPR.
Cardneto is responsible for processing activities within its role as Data Processor.
The Organizer remains responsible for lawful data collection and user consent.
12. Governing Law
This DPA shall be governed by and interpreted in accordance with European Union data protection law, and where applicable, the laws of the Organizer’s jurisdiction.
13. Contact & Support
For data protection inquiries:
Business Hours: Monday–Friday, 09:00–18:00 EET
Response Time: Most inquiries are answered within 24 hours.
This DPA is designed to be clear and accessible. For specific legal requirements, organizers may integrate it into their contractual framework.

